The number of failed login attempts is tracked. Subsequent login attempts will sleep for
an equivalent number of seconds before processing, in order to frustrate brute force attacks.
A successful login will reset the counter to zero. Note that the password field is
unrestricted content.

Called whenever there is a privilege escalation (login) or at random intervals to reduce
risk of session hijacking. Note that the cross-site request forgery validation token remains
the same, unless the session is destroyed. This prevents the random session ID
regeneration events from causing false positives in CSRF checks.

Note that it allows the new and old sessions to co-exist for a short period. This is to
avoid headaches with flaky network connections and asynchronous (AJAX) requests, as explained
in the PHP Manual warning: http://php.net/manual/en/function.session-regenerate-id.php
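
A sketch of the overlap window described above, added here as an illustration and not taken from this project's code. The `GRACE_SECONDS` value, the `_obsolete_at` and `_new_id` session keys, and both function names are assumptions.

```php
<?php
// Added example, not the project's code. GRACE_SECONDS and the '_obsolete_at'
// and '_new_id' session keys are assumptions made for this illustration.
const GRACE_SECONDS = 10; // assumed length of the overlap window

function regenerateSession(): void
{
    $data  = $_SESSION;            // carries the CSRF token over unchanged
    $newId = session_create_id();

    // Mark the old session obsolete instead of deleting it, so requests
    // already in flight with the old ID still resolve during the window.
    $_SESSION['_obsolete_at'] = time();
    $_SESSION['_new_id']      = $newId;
    session_write_close();

    // Strict mode would reject an ID that has no stored session yet.
    // ini_set() only affects the current request.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    $_SESSION = $data;
    unset($_SESSION['_obsolete_at'], $_SESSION['_new_id']);
}

function startSession(): void
{
    session_start();
    if (!isset($_SESSION['_obsolete_at'])) {
        return; // current session, nothing to do
    }
    if ($_SESSION['_obsolete_at'] < time() - GRACE_SECONDS) {
        // Old ID presented after the window closed: discard it and start
        // empty. A defender would also log this event for review.
        $_SESSION = [];
        session_destroy();
        session_id(session_create_id());
        session_start();
        return;
    }
    // Late request inside the window: continue on the replacement session.
    $newId = $_SESSION['_new_id'];
    session_write_close();
    session_id($newId);
    session_start();
}
```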

Uses the default password hashing algorithm, which was bcrypt as of PHP 7.2, with a cost
of 11. If logging in is too slow, you could consider reducing this to 10 (the default value).
Lowering it further will weaken the security of the hash.

Sets a token for use in cross-site request forgery checks on form submissions.

A random token is generated and stored in the current session (if not already set). The value
of this token is included as a hidden field in forms when they are loaded by the user. This
allows forms to be validated via validateFormToken().

Forms contain a hidden field with a random token taken from the user's session. This token
is used to validate that a form submission did indeed originate from the user, by comparing
the value against that stored in the user's session. If they do not match then the request
could be a forgery and the form submission should be rejected.